-
Notifications
You must be signed in to change notification settings - Fork 1.3k
[SECRES-5300] Add documentation for SCFW GitHub Action #38033
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -8041,6 +8041,11 @@ menu: | |||||
| url: /security/code_security/dev_tool_int/mcp_server/ | ||||||
| parent: dev_tool_int | ||||||
| weight: 5 | ||||||
| - name: SCFW GitHub Action | ||||||
| identifier: dev_tool_int_scfw_github_action | ||||||
| url: /security/code_security/dev_tool_int/scfw_github_action/ | ||||||
| parent: dev_tool_int | ||||||
| weight: 5 | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| - name: Tools Reference | ||||||
| identifier: dev_tool_int_mcp_server_tools_reference | ||||||
| url: /security/code_security/dev_tool_int/mcp_server/tools_reference/ | ||||||
|
|
||||||
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
|
|
@@ -40,7 +40,7 @@ Code Security scans your first-party code and open source libraries used in your | |||||||
| - [Runtime Code Analysis (IAST)][3] for identifying vulnerabilities in the first-party code within your services | ||||||||
| - [Secret Scanning][8] for identifying and validating leaked secrets | ||||||||
| - [Infrastructure as Code (IaC) Security][10] for identifying security misconfigurations in IaC stored in your repositories | ||||||||
| - [Supply Chain Security](#supply-chain-security-preview) for preventing malicious packages from entering your development environment and code repositories | ||||||||
| - [Supply Chain Security](#supply-chain-security-preview) for preventing malicious packages from entering your development environment and code repositories | ||||||||
|
|
||||||||
| Code Security helps teams implement DevSecOps throughout the organization: | ||||||||
| - **Developers:** early vulnerability detection, code quality improvements, faster development as developers spend less time debugging and patching. | ||||||||
|
|
@@ -106,12 +106,11 @@ With [Cloud Security Management (CSM)][18], you can see misconfigurations in IaC | |||||||
| Use this form to submit your request to join the Supply Chain Security Preview. | ||||||||
| {{< /callout >}} | ||||||||
|
|
||||||||
|
|
||||||||
| Supply Chain Security prevents malicious open source packages from entering your development environments at the point of installation, before they reach your repositories or CI/CD pipelines. | ||||||||
|
|
||||||||
| Unlike SCA, which scans dependencies already in your codebase, the Datadog Supply Chain Firewall (SCFW) intercepts package manager commands (`npm`, `pip`, `poetry`) in real time and blocks malicious or recently published packages before they are installed. | ||||||||
|
|
||||||||
| Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by GuardDog), known vulnerability advisories, and configurable recency thresholds. When it flags a package, it blocks installation immediately with a clear, actionable message (on both developer laptops and CI runners). | ||||||||
| Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20]. | ||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||
|
|
||||||||
| In addition to protecting individual developer machines or CI pipelines, SCFW provides event observability to search, filter, and audit ALLOW, WARN, and BLOCK events across developer machines and CI systems in a unified event feed. | ||||||||
|
|
||||||||
|
|
@@ -140,3 +139,4 @@ The [Code Security MCP Server][19] is a local Model Context Protocol (MCP) serve | |||||||
| [17]: /security/code_security/iac_security/setup/?tab=github | ||||||||
| [18]: /security/cloud_security_management/ | ||||||||
| [19]: /security/code_security/dev_tool_int/mcp_server/ | ||||||||
| [20]: /security/code_security/dev_tool_int/scfw_github_action/ | ||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,106 @@ | ||||||||||||||||||
| --- | ||||||||||||||||||
| title: Supply Chain Firewall GitHub Action | ||||||||||||||||||
| description: Keep malicious packages out of your CI/CD runners with Datadog's GitHub Action for Supply Chain Firewall. | ||||||||||||||||||
| is_beta: true | ||||||||||||||||||
| disable_toc: false | ||||||||||||||||||
| further_reading: | ||||||||||||||||||
| - link: "https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewall/" | ||||||||||||||||||
| tag: "Blog" | ||||||||||||||||||
| text: "Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages" | ||||||||||||||||||
| - link: "/security/code_security/#supply-chain-security-preview" | ||||||||||||||||||
| tag: "Documentation" | ||||||||||||||||||
| text: "Supply Chain Security" | ||||||||||||||||||
| --- | ||||||||||||||||||
|
|
||||||||||||||||||
| The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall](https://github.com/DataDog/supply-chain-firewall) (SCFW) and configures it to transparently intercept supported package manager commands for all subsequent steps in a workflow. When active, any command for a supported package manager is inspected with SCFW before being allowed to run. | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| This action supports Linux and macOS runners. Windows runners are not supported, as SCFW itself does not support Windows. | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| ## Usage | ||||||||||||||||||
|
|
||||||||||||||||||
| ```yaml | ||||||||||||||||||
| steps: | ||||||||||||||||||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||||||||||||||||||
|
|
||||||||||||||||||
| - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0 | ||||||||||||||||||
| with: | ||||||||||||||||||
| version: '3.1.0' | ||||||||||||||||||
|
ikretz marked this conversation as resolved.
|
||||||||||||||||||
| package-managers: npm,pip | ||||||||||||||||||
|
|
||||||||||||||||||
| # npm and pip commands are now transparently intercepted by SCFW. | ||||||||||||||||||
| # Malicious packages are blocked; clean installs proceed normally. | ||||||||||||||||||
|
Comment on lines
+30
to
+31
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
| - run: pip install -r requirements.txt | ||||||||||||||||||
| - run: npm install | ||||||||||||||||||
| ``` | ||||||||||||||||||
|
|
||||||||||||||||||
| ### With Supply Chain Security integration | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| {{< callout url=https://docs.google.com/forms/d/1Xqh5h1n3-jC7au2t30fdTq732dkTJqt_cb7C7T-AkPc/viewform?edit_requested=true | ||||||||||||||||||
| btn_hidden="false" header="Join the Preview!">}} | ||||||||||||||||||
| Use this form to submit your request to join the Supply Chain Security Preview. | ||||||||||||||||||
| {{< /callout >}} | ||||||||||||||||||
|
|
||||||||||||||||||
| ```yaml | ||||||||||||||||||
| steps: | ||||||||||||||||||
| - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0 | ||||||||||||||||||
| with: | ||||||||||||||||||
| dd-codesec-logger: 'true' | ||||||||||||||||||
| dd-api-key: ${{ secrets.DD_API_KEY }} | ||||||||||||||||||
| dd-app-key: ${{ secrets.DD_APP_KEY }} | ||||||||||||||||||
| dd-site: datadoghq.eu | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I recommend using the |
||||||||||||||||||
| ``` | ||||||||||||||||||
|
|
||||||||||||||||||
| ### With a cached `SCFW_HOME` directory | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| Caching `SCFW_HOME` avoids re-fetching verifier data on each run: | ||||||||||||||||||
|
|
||||||||||||||||||
| ```yaml | ||||||||||||||||||
| steps: | ||||||||||||||||||
| - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 | ||||||||||||||||||
| with: | ||||||||||||||||||
| path: ~/.scfw | ||||||||||||||||||
| key: scfw-${{ runner.os }} | ||||||||||||||||||
|
|
||||||||||||||||||
| - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0 | ||||||||||||||||||
| with: | ||||||||||||||||||
| scfw-home: ~/.scfw | ||||||||||||||||||
| ``` | ||||||||||||||||||
|
|
||||||||||||||||||
| ## How it works | ||||||||||||||||||
|
|
||||||||||||||||||
| 1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` into an isolated Python environment so it does not interfere with the project's own dependencies. | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| 2. **Wrap**: For each requested package manager, the action writes a thin wrapper script into a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers automatically go through Supply Chain Firewall. | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This helps ensure Supply Chain Firewall always calls the real binary and never re-invokes the wrapper. | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments. | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| 3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps. | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow for suspicious behavior or signs of compromise. | ||||||||||||||||||
|
|
||||||||||||||||||
| ## Inputs | ||||||||||||||||||
|
|
||||||||||||||||||
| | Input | Description | Default | | ||||||||||||||||||
| |-------|-------------|---------| | ||||||||||||||||||
| | `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` | | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
| | `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` | | ||||||||||||||||||
| | `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` | | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
| | `dd-api-key` | Datadog API key for forwarding firewall events to the Datadog HTTP or Code Security API. Use `${{ secrets.DD_API_KEY }}`. | — | | ||||||||||||||||||
| | `dd-app-key` | Datadog application key for forwarding firewall events to the Datadog Code Security API. Use `${{ secrets.DD_APP_KEY }}`. | — | | ||||||||||||||||||
| | `dd-api-logger` | When `"true"`, enables SCFW's Datadog HTTP API logger. Requires `dd-api-key`. | `false` | | ||||||||||||||||||
| | `dd-codesec-logger` | When `"true"`, enables SCFW's Datadog Code Security logger. Requires `dd-api-key` and `dd-app-key`. | `false` | | ||||||||||||||||||
| | `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` | | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
| | `dd-log-level` | Controls which firewall events are forwarded to Datadog. `ALLOW` logs all events; `BLOCK` logs only blocked events. | `ALLOW` | | ||||||||||||||||||
| | `scfw-home` | Directory for SCFW's local cache. Point this at a cached directory to speed up verifier data fetches across runs. | — | | ||||||||||||||||||
| | `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — | | ||||||||||||||||||
| | `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` | | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
| | `dd-env` | Datadog environment tag attached to all forwarded firewall events. | `ci` | | ||||||||||||||||||
| | `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). | — | | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
|
|
||||||||||||||||||
| ## Outputs | ||||||||||||||||||
|
|
||||||||||||||||||
| | Output | Description | | ||||||||||||||||||
| |--------|-------------| | ||||||||||||||||||
| | `scfw-version` | The installed version of Supply Chain Firewall. | | ||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||||
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we move the new left nav entry for the SCFW GitHub Action doc so it appears below line 8058, after the Troubleshooting topic nested under MCP Server in the left nav? The ordering works as far as how it renders on the docs site, but for maintainability, it would be better if the menu items match the order shown in the left nav.